Computer networks use communication protocols to send packets of information. The packet header includes the address of the destination computer. Only the computer with the matching address is supposed to accept the packet. A computer that accepts all packets, including packets addressed to other computers, is said to be in promiscuous mode.
Intercepting packets in transit over a network is referred to as “sniffing.” A sniffer is a program or device that monitors and analyzes network traffic, detecting bottlenecks and problems. Using this information, a network manager can keep traffic flowing efficiently. A network router reads every packet of data passed to it, and determines whether it is intended for a destination within the router's own network or whether it should be passed further along the network. A router with a sniffer, however, may be able to read the data in the packet as well as the source and destination addresses.
The popularity of packet sniffing stems from the fact that a sniffer can read everything in the packets. Information that can be sniffed includes e-mail sent via SMTP, POP, and IMAP packets; passwords transmitted in POP, IMAP, HTTP, and Telnet authentication packets; files sent via SMB, NFS, and FTP packets; and database information sent via SQL.
Extensible Markup Language (XML) is a common language for network communications. Important electronic content and business documents are increasingly transmitted as XML-encoded messages, which are often accessed by and provide data to application programs on remote servers. Although firewalls have been the mainstay for implementing network security, they are not able to provide security at the application layer because they can only filter at the packet level and do not examine the contents of messages.
Traditional firewalls protect a network's perimeter by blocking incoming traffic using several different means. Some block all TCP ports except for port 80 (HTTP traffic), port 443 (HTTPS traffic), and port 25 (email traffic). Some ban traffic from specific IP addresses, or ban traffic based on the traffic's usage characteristics. The problem with these firewalls, when it comes to XML traffic, is that many packets containing information in XML are transmitted to port 80.
XML allows developers to define new programming languages and formats. XML separates structure and content from presentation. Thus, a single XML source document can be written once, and displayed using a variety of digital devices, such as a computer monitor, a cellular-phone display, and so forth. XML has been optimized for delivering information over networks such as the World Wide Web. XML defines a family of standards for all aspects of information presentation, including markup, linking, style, structure, and metadata.
XML describes a class of data objects called XML documents. XML documents comprise storage units called entities. An XML document may consist of one or many entities. Each XML document has at least one entity called the document entity, which serves as the starting point for the XML processor and may contain the entire document.
XML documents typically begin with an XML declaration that specifies the version of XML being used. For example, the statement <?xml version="1.0"?> at the beginning of an XML document indicates that the statements in the document conform to Version 1.0 of XML. Text in XML documents consists of intermingled character data and markup. Markup takes the form of start-tags, end-tags, empty-element tags, entity references, character references, comments, character data (CDATA) section delimiters, document type declarations, processing instructions, XML declarations, and text declarations.
Each XML document contains one or more elements, the boundaries of which are either delimited by start-tags and end-tags, or, for empty elements, by an empty-element tag. The beginning of every non-empty XML element is marked by a start-tag “<element>”. The end of every element that begins with a start-tag must be marked by an end-tag “</element>” containing the element's name as given in the start-tag. An empty XML element can be structured as <elementname/>. The text between the start-tag and end-tag is called the element's content. Each element has a type, identified by name, and may have a set of attribute specifications. Each attribute specification can have a name and a value.
XML allows developers to impose constraints on the storage layout and logical structure of entities. The XML Schema definition language (XSD) provides a type system for XML processing environments. XML Schema also enables developers to define their own types, which are typically referred to as user-defined types (UDTs). An XML document that conforms to an XML Schema type is often referred to as an instance document. XML Schema also provides a repertoire of built-in datatypes that developers can use to constrain text.
A Document Type Definition (DTD) is a set of syntax rules for tags, and is a precursor to the XSD. A DTD specifies the tags that can be used in a document, the order the tags should appear in, which tags can appear inside other tags, which tags have attributes, and so on. A DTD can be part of an XML document, but it is usually a separate document or series of documents.
Hypertext Transfer Protocol (HTTP) is commonly utilized in distributed networks to allow a client to send multiple requests without waiting for responses from the server. The HTTP header fields can be categorized as “general”, “request”, “response”, and “entity” fields. The entity fields are applicable to both request and response messages. The following lists provide examples of information that may be available in the HTTP header fields:
General Header Fields
Connection allows the sender to specify options that are desired for that particular connection and must not be communicated by proxies over further connections.
Date field represents the date and time at which the message was originated.
Pragma field is used to include implementation-specific directives that might apply to any recipient along the request/response chain.
Transfer-Encoding field indicates what (if any) type of transformation has been applied to the message body in order to transfer it between the sender and the recipient.
Via field is used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests, and between the origin server and the client on responses.
Entity Fields
Content-Encoding field is used as a modifier to the media-type. When present, its value indicates what additional content codings have been applied to the entity-body, and thus what decoding mechanisms must be applied in order to obtain the media-type referenced by the Content-Type header field. Content-Encoding is primarily used to allow a document to be compressed without losing the identity of its underlying media type.
Content-Language field describes the natural language(s) of the intended audience for the enclosed entity. Note that this might not be equivalent to all the languages used within the entity-body.
Content-Length field indicates the size of the entity-body, in decimal number of OCTETs, sent to the recipient or, in the case of the HEAD method, the size of the entity-body that would have been sent had the request been a GET.
Content-Location field may be used to supply the resource location for the entity enclosed in the message when that entity is accessible from a location separate from the requested resource's Universal Resource Identifier (URI).
Content-Type field indicates the media type of the entity-body sent to the recipient.
Expires field provides the date/time after which the response is considered stale.
Response Header Fields
The first line of the server's response contains a status code. In addition to the status code, the response header may include:
Date field provides the response time (in GMT).
ETag field provides the current value of the entity tag for the requested variant.
Expires prevents caching beyond the given date.
Location field is used to redirect the recipient to a location other than the Request-URI for completion of the request or identification of a new resource.
Proxy-Authenticate field is included as part of a Proxy Authentication Required response. The field value consists of a challenge that indicates the authentication scheme and parameters applicable to the proxy for the Request-URI.
Server field contains information about the software used by the origin server to handle the request. The field can contain multiple product tokens and comments identifying the server and any significant subproducts.
WWW-Authenticate field is included in Unauthorized response messages.
Request Header Fields
Accept field can be used to specify certain media types which are acceptable for the response. Other Accept fields can indicate character set, encoding, language, and other acceptable formats for the response.
Age field conveys the sender's estimate of the amount of time since the response (or its revalidation) was generated at the origin server.
Authorization field contains the authentication information of the user agent for the realm of the resource being requested.
Expect field is used to indicate that particular server behaviors are required by the client.
From field, if provided, contains an e-mail address for the human user who controls the requesting user agent.
Host field specifies the Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource.
Proxy-Authorization field allows the client to identify itself (or its user) to a proxy which requires authentication. The Proxy-Authorization field value consists of credentials containing the authentication information of the user agent for the proxy and/or realm of the resource being requested.
Referrer field allows the client to specify, for the server's benefit, the address (URI) of the resource from which the Request-URI was obtained (the “referrer”). The Referrer field allows a server to generate lists of back-links to resources for interest, logging, optimized caching, etc. It also allows obsolete or mistyped links to be traced for maintenance.
TE field indicates what extension transfer-codings it is willing to accept in the response and whether or not the requestor is willing to accept trailer fields in a chunked transfer-coding.
User-Agent field contains information about the user agent originating the request. This information can be used for statistical purposes, tracing protocol violations, and automatically recognizing user agents to tailor responses to avoid particular user agent limitations.
Simple Object Access Protocol (SOAP) is a lightweight XML-based protocol for exchange of information in a decentralized, distributed environment. SOAP consists of three parts: an envelope that defines a framework for describing what is in a message and how to process it, a set of encoding rules for expressing instances of application-defined datatypes, and a convention for representing remote procedure calls and responses. SOAP can potentially be used in combination with a variety of other protocols including HTTP and HTTP Extension Framework. SOAP follows the HTTP request/response message model, providing SOAP request parameters in an HTTP request and SOAP response parameters in an HTTP response.
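The gap between port-level filtering and SOAP-over-HTTP content described above can be shown with a short Python sketch. This is an added example, not part of the original text: it contrasts a port-only decision with an inspection of the HTTP entity fields and the SOAP envelope. The function names, the sample request, the host example.com and the GetQuote operation are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ALLOWED_PORTS = {80, 443, 25}          # the port policy described in the text
SOAP_NS = {"http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope"}     # SOAP 1.2
XML_TYPES = {"text/xml", "application/xml", "application/soap+xml"}

def port_filter_allows(dst_port):      # packet-level view: only the port counts
    return dst_port in ALLOWED_PORTS

def split_qname(tag):                  # '{namespace}local' -> (namespace, local)
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def inspect_message(raw):
    """Application-layer decision: returns (verdict, detail) for one HTTP message."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "reject", "incomplete HTTP header block"
    fields = (l.partition(":") for l in head.decode("iso-8859-1").split("\r\n")[1:])
    headers = {n.strip().lower(): v.strip() for n, _, v in fields}
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type not in XML_TYPES:
        return "pass", "not XML; outside this inspector's scope"
    if headers.get("content-length") != str(len(body)):
        return "reject", "Content-Length does not match entity-body"
    if b"<!DOCTYPE" in body.upper():   # refuse DTDs before the parser sees them
        return "reject", "document type declaration in SOAP message"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "reject", f"not well-formed XML: {exc}"
    ns, local = split_qname(root.tag)
    if local != "Envelope" or ns not in SOAP_NS:
        return "reject", "root element is not a SOAP Envelope"
    soap_body = root.find(f"{{{ns}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return "reject", "SOAP Body missing or empty"
    return "allow", split_qname(soap_body[0].tag)[1]   # requested operation

def build_request(xml):
    """Constructed sample: an HTTP POST carrying `xml` as its entity-body."""
    body = xml.encode("utf-8")
    return (b"POST /quote HTTP/1.1\r\nHost: example.com\r\n"
            b"Content-Type: text/xml; charset=utf-8\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

GOOD = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        '<s:Body><GetQuote xmlns="urn:example"><Symbol>ABC</Symbol></GetQuote></s:Body></s:Envelope>')
BAD = GOOD.replace("</s:Body>", "")    # same port, same headers, malformed XML
```

Both GOOD and BAD arrive on port 80 and look identical to the port filter; only inspect_message tells them apart.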